Cisco VPN and LAN/Internet access

Hi,
I use Cisco VPN client to connect to a remote system from my corporate LAN.
My PC has Windows XP SP2.

The Cisco server blocks access to my LAN and the internet, so I use a virtual machine dedicated only to the VPN: that way I can access the LAN and internet from my physical PC and the VPN from the virtual machine.

Since I spend more time using the VPN, I'd like to invert the situation and have the VPN on the physical PC and the LAN and internet on the virtual machine. I know this isn't possible, but my question is this: if I add a second NIC, is it possible to use one NIC dedicated to the VPN from the physical PC and the other NIC dedicated to LAN and internet access from the virtual machine?
If so, is there any particular configuration to set?

First of all, there is an easy way to solve this before going for virtual machines/NICs. To what do you connect using the Cisco VPN Client? PIX or a Concentrator?

On the other end, they should configure something called 'split-tunneling'. What this does is, only the traffic intended for the VPN is encrypted and routed to the other end, and all your local traffic flows as normal.

So I would suggest you talk to the person at the other end to configure this; it will make your life a lot easier. All it takes is to add an entry with an access-list as below;

Adding another NIC wouldn't solve your problem. What I don't understand is, how is security compromised by enabling Split-Tunneling? In fact, by not enabling it, he is letting all your traffic go through him (even Internet).
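For reference, this is what the split-tunnel access-list entry mentioned in the answer above looks like on the VPN server side. It is an added example, not the poster's configuration; it assumes ASA/PIX 7.x-style syntax and uses made-up corporate subnets and group names.

```cisco
! Networks that should be reached THROUGH the tunnel (constructed sample subnets).
! Anything not matched here stays on the client's local LAN/Internet path.
access-list SPLIT_TUNNEL standard permit 10.10.0.0 255.255.0.0
access-list SPLIT_TUNNEL standard permit 192.168.100.0 255.255.255.0
!
group-policy REMOTE_USERS internal
group-policy REMOTE_USERS attributes
 ! Current behaviour described in the question (the default): every packet,
 ! including Internet and local LAN, is forced into the tunnel.
 ! split-tunnel-policy tunnelall
 !
 ! Split tunneling: only destinations in SPLIT_TUNNEL are encrypted;
 ! the client keeps its local LAN and Internet access while connected.
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
!
tunnel-group REMOTE_USERS general-attributes
 default-group-policy REMOTE_USERS
```

The trade-off debated below is visible in the two policy lines: with tunnelall the client's only reachable network while connected is the corporate one, with tunnelspecified the client stays reachable from its local network at the same time.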

You can be compromised in some fashion by an internet-based control mechanism. Then in turn you connect to the VPN. With split tunnelling enabled, the Evil Hacker still has access to your machine but now also has access to the VPN network.

Without split tunneling, as soon as the tunnel comes up, access for the Evil Hacker drops and the machine is then covered under the security mechanisms of the Corp Network.

This would be a specific attack wherein the attacker is in need of data from the other network. 70% of the attacks are just destructive, wherein you inject and then the job relies on what you injected. In such cases, whether you enable split tunneling or not doesn't really matter. Take a virus, take a worm, or even take a backdoor itself; in steps:

1. First attack the VPN Client.
2. Second get that into the Corp. Network through the connection.
3. Then he can get the data directly from the Corp. Network (doesn't have to wait for the data to come back to the VPN Client and then go back to him).

Also, if you note, we are not talking about a 'home user'; the author is trying to connect to the remote server from his 'Corporate Network'. Adequate security measures are a responsibility, and I'm sure you'll agree we have to have 2 visions about a 'home user' and a 'corp user'.

And finally, absolute security cannot be achieved, but we can keep pursuing it.

Cheers,
Rajesh
